High-intensity operation: Between Poka-Yoke and Machine ...

GSI Helmholtzzentrum für Schwerionenforschung GmbH


High-intensity operation: Between Poka-Yoke and

Machine Protection

FC2WG, C. Omet, 21.10.2015


SIS100: Main Parameters – a versatile machine

Circumference: 1083.6 m

(5 x length of SIS18)

Superperiodicity: 6

Cells per period: 14

Focusing structure: Doublet

108 Dipoles (superferric)

1.9 T, 4 T/s

Nominal current: 13.1 kA

168 Quadrupoles (superferric)

27.8 T/m

Nominal current: 10.5 kA

Extraction modes:

Fast, 1...8 bunches

Slow, KO-Extraction up to 10 s

Acceleration for every ion from

protons to uranium (and beyond?)

Variable quadrupole powering for 𝛾𝑡𝑟

shifting or 𝛾𝑡𝑟-jump

5

Item RIB (U28+) CBM (U92+) Protons for pbar

Magnetic rigidity @ extr. 𝐵 ⋅ 𝜌 [Tm] 27 ...64 ... 100 100 100

Energy range @ extr. 𝐸 [GeV/u] 0.4 ... 1.5 ... 2.7 10.7 28.8

Max. repetition rate 𝑓𝑟𝑒𝑝 [Hz] 0.35 (slow)

0.50 (fast)

0.09 0.4

Relativistic 𝛾 ... 3.9 12.4 31.9

Transition energy 𝛾𝑡𝑟 15.5 14.3 18.3 (45*)

Tune 𝜈𝑥,𝑦 17.3/17.8 (slow)

18.9/18.8 (fast)

17.3/17.8 10.4/10.3

(21.8/17.7*)

Number of ions per cycle 𝑁 5 x 1011 1.5 x 1010 2 x 1013

Max. number of ions per second [1/s] 1.8 x 1011 (slow)

2.5 x 1011 (fast)

1.5 x 10 9 8 x 1012

Extracted bunch form 1-10 s spill (slow)

Single bunch 70ns (fast)

10-100 s spill Single bunch 50ns

Stored beam energy 𝐸𝑏𝑒𝑎𝑚 [kJ] 51.5 6.1 93.0

Emittance @ inj. 𝜖𝑥,𝑦 [mm mrad] 34 x 14 15 x 5 12 x 4

Emittance @ extr. 𝜖𝑥,𝑦 [mm mrad] 1 x 4.0 (slow)

9.6 x 4.0 (fast)

1.0 x 0.7 2.0 x 0.7

Geometrical Acceptance:

3 x maximum emittance

Dynamic Aperture:

3.4 sigma


SIS100: Lattice design criterias

1. Length: 5 x SIS18 length (= 1 083.6 m)

2. Reference ion operation: U28+

Localize beam ionization losses

Control vacuum pressure

3. Secondary ion: Protons

Variable 𝛾𝑡-optics by multiple quadrupole families

Fixed 𝛾𝑡-optics utilizing fast 𝛾𝑡-jump quadrupoles

4. RF system

Room temperature cavities, dispersion free straight sections

State-of-the-art bunch manipulations: Bunch merging &

compression, Barrier buckets

5. Versatile extraction modes

Fast bipolar Kicker system (internal emergency dump)

Slow extraction: KO-excited beam, resonant extraction

3

SIS100

SIS300

Images courtesy of M. Konradt / J. Falenski


SIS100: Lattice design

Doublet focusing structure: up to 100%

collimation efficience reachable with focusing

order DF

First called “storage mode lattice” because many U29+

particles survived one complete turn.

Dipoles act as a charge state separator when bending

angle per cell is chosen correctly.

Quadrupoles are stronger than obviously necessary

(over-focussing) to assure survival of beam until it

reaches the collimator (which gives other problems

protons).

U29+ loss positions are nicely peaked at the

position of the collimators

Dynamic vacuum calculations showed that in

spite of the very well controlled losses, a huge

pumping speed will be required

Cold vacuum chambers

SC magnets

4


Risk assessment

What to protect? 1. Lives (people)!

2. Health (people)!

e.g. losing the thumb losing one eye partial disability

3. Environment

Radiation, chemicals,

EMC (Electromagnetic Compatibility, not E=mc²)

Noises

...

4. Machine

Damage of expensive equipment (> 100,000,000 € !)

Long-running replacement times / repair times

Damage

Activation (“1 W/m” 1 mSv/h after 4 h @ 40 cm after 100

days of operation)

Availability

Legal necessity §§ 5, 6 Arbeitsschutzgesetz, § 3 Betriebssicherheitsverordnung

§ 6 Gefahrstoffverordnung, §§ 89, 90 Betriebsverfassungsgesetz

What remains? Residual risks (for radiation protection: ALARA = As Low As Reasonable

Achievable)

5

This talk PED


Hazard and Risk for accelerators

● Hazard: a situation that poses a level of threat to the accelerator. Hazards are dormant or potential, with only a theoretical risk of damage. Once a hazard becomes “active”: incident / accident. Consequences and possibility of an incident interact together to create RISK, can be quantified:

RISK = Consequences ∙ Probability

Related to accelerators:

● Consequences of an uncontrolled beam loss

● Probability of an uncontrolled beam loss

● The higher the RISK, the more Protection is required

R. Steinhagen


Consequences of a release of 600 MJ at

LHC

Arcing in the interconnection

53 magnets had to

be repaired

The 2008 LHC accident happened during test runs without beam.

A magnet interconnect was defect and the circuit opened. An electrical arc provoked a He

pressure wave damaging ~600 m of LHC, polluting the beam vacuum over more than 2 km.

Over-pressure

Magnet displacement

R. Schmidt


Incidents happen

2008 SPS run

• Impact on the vacuum chamber of a 400 GeV beam of 3x1013 protons (2 MJ).

• Event is due to an insufficient coverage of the SPS MPS (known !).

• Vacuum chamber to atmospheric pressure, downtime ~ 3 days.

Risk = (3 days downtime + dose to workers) x (1 event / 5-10 years)

R. Steinhagen


Incidents happen

JPARC home page – October 2013

Risk = (9 month downtime + dose to workers) x (1 event / 12 years)

R. Steinhagen


JPARC incident – May 2013

• Due to a power converter failure, a slow extraction was transformed into a fast extraction.

Extraction in milliseconds instead of seconds.

• As a consequence of the high peak power, a Gold muon conversion target was damaged and radio-isotopes were released into experimental halls.

Machine protection coupled to personnel protection!

• Investigations and protection improvements done, J-PARC restart after ~9 month.

One insufficiently covered failure case had major consequences !


Risk Management Gradient

RISK

Poka-Yoke 'Mistake Proofing'

minimising machine activation (ALARA principle)

Machine Protection

preventing quenches intercepting common mistakes, procedural errors, etc.

affecting machine performance

investment protection Use-cases:

Devices:

FAIR (SW) Interlock System

Sequencer & operational procedures

FAIR-SIS100 Fast Beam Abort Sys. (HW Interlock System)

FAIR Machine & System

Design

Systems:

passive absorbers, machine optics, material choices

PC, FMCM (?), QPS, FCT, BLMs, ...

???

time-scales: 100 ms 50 us < turn 10s of seconds → minutes/hours

LSA, settings monitoring, ...

R. Steinhagen


Poka-Yoke (ポカヨケ) – 'Mistake-Proofing'

● To avoid (yokeru) inadvertent errors (poka)

● Industrial processes designed to prevent

human errors

– Concept by Shigeo Shingo: 'Toyota Production

System' (TPS, aka. 'lean' systems)

● Common mistakes, procedural errors, etc.

affecting machine performance

● Real-World Examples:

– Polarity protection of electrical plugs (e.g.

phone, Ethernet cable)

SIS18 profile grid connectors

– Procedures: e.g. ATM machine: need to

retrieve card before money is released (↔

prevents missing card)

R. Steinhagen

0

20

40

60

80

100

120

-30 -20 -10 0 10 20 30A

/ a

.u.

X / mm

0

20

40

60

80

100

120

-30 -20 -10 0 10 20 30A

/ a

.u.

X / mm


FAIR Machine Protection Concepts

● Machine & System Design

– Passive absorbers, machine optics, collimation system, material choices, ...

● Active protection

– Fast-Beam-Abort System (SIS100 & SIS18, turn → 'ms'-scale)

– Setup-Beam-Flag (SBF)

● Beam is safe for playing with, “Pilot beam”

– Interlock System (slow, '~100 ms' scale)

– Beam Transmission Monitoring System

● Procedural protection

– Beam-Presence-Flag (BPF)

● no high-intensity beam injection into previously empty machine

– Management of Critical Settings

– Poka-Yoke

● Intensity Ramp-up Concept

– Don't inject high-intensity beam without having the optics & machine performance checked with lower intensity beams

● Sequencer (guide/help operation to avoid common mistakes)

R. Steinhagen


Proposal:

FAIR Beam Modes – State Diagram

Post-Mortem/ Beam Dump

Recovery: No Beam

No Beam

Pilot Beam

Intensity Ramp-Up

Adjust

Stable Beams/ Production

cool down + cycling after magnet quench or main PS failure N.B. beam mode = machine mode

Here'd be Happiness producing physics beams most settings locked-down

basic accelerator setup injection extraction typically with (but not limited to) low setup intensities (SBF=true)

normal operational path error/fault case low-intensity

always start here:

mag. cycles only e.g. RF conditioning

Verification of machine-protection functionality Minor adjustment of intensity related effects (e.g. ∆Q(intensity))

Tune beam parameters (within limits) to suit the experiments needs/performance

“handshake”

N.B.: 1) omitted arrows to 'No Beam'/'Pilot Beam' for better

visibility (always possible) 2) modes follow existing normal setup routine, initial

transition acknowledged by operator, subsequent driven automatically by sequencer

R. Steinhagen


Machine protection

In the past (and present operation of SIS18),

devices protect only themselves

Caused e.g. by media supply, short circuit, ...

Usually instantly power down and

generation of an interlock.

When a device powers down, the result for the

machine could be bad

Magnets can quench (by beam energy deposition,

insufficient cooling, ...),

Sensible equipment could be damaged by beam

heating

S-FMEA (System Failure Modes and Effect Analysis)

has to be done.

Foreseen to protect the machine:

Collimation systems (passive protection)

Equipment monitoring and beam monitoring

Quench detection and protection (QD/QP)

Interlock systems

Emergency kicker + dump

15

1. Avoid that a specific failure can happen

2. Detect failure at hardware level and stop beam

operation

3. Detect initial consequences of failure with

beam instrumentation

How to stop beam operation:

1. Inhibit injection

2. Extract beam into emergency beam

dump or

3. Stop beam by beam absorber /

collimator


Is activation an issue?

Yes!

Components have to be human maintainable, so (uncontrolled!) activation has to be limited.

Hands-on-maintenance: Dose rate < 1 mSv/h at a distance of 40 cm after 100 days of operation and 4 hours of downtime.

Standard assumption for protons: Uncontrolled losses have to be < 1 W/m 5…10% protons at 4…28.8 GeV/u

For heavy ions: < 5 W/m 20% U28+ at 200 MeV/u 10% U28+ at 2.7 GeV/u Already larger than dynamic vacuum effects allow.

Controlled losses: Extraction sector S5 is already prepared; components have to be remote / fast serviceable (Magnetic + Electrostatic septa, radiation resistant quadrupoles).

Halo collimators, Cryo catchers would be more activated.

Building design has got separate beam and supply areas. The latter would be accessible without any activation problems.

16

Supply area

Beam tunnel


Beam impact on accelerator

components

SIS100 stored beam energy

Ions: 3.7 ... 51.5 kJ

11.2 g TNT / 1.5 ml Kerosine (a few drops)

Protons: 12.9 ... 93.0 kJ

20.2 g TNT / 2.7 ml Kerosine (half a tea spoon)

Melting/sublimation of acc. components (stainless steel):

SPS event with 450 GeV beam: Vacuum chamber burnt through with 2

MJ beam

Experimental damage limit for protons ~52 kJ/mm²

SIS100: with protons: ~1 kJ/mm²

PS: ~1 kJ/mm²

Bragg peak has to be considered

Temperature should not be an issue (details on the next pages)

Quench limit of SC cable (Cu/NbTi)

Nuclotron cable: ~1.6 mJ/g [1]

Quench recovery time:

10 min at the Serial Test Facility,

~1 h in the SIS100

[1]: Some Aspects of Cable Design for Fast Cycling Superconducting Synchrotron Magnetism Khodzhibagiyan,

Kovalenko, Fischer, IEEE TOAS Vol. 14, No 2, 2004

17

Courtesy of R. Schmidt / CERN


Is melting an issue? (I)

9

• SIS18 beam onto FRS target

– Cu, Al und C Targets, 1 mm thick.

– Graphite no problems.

• Strong focused x=0.44 mm y = 0.99 mm, 125 MeV/u,

7x109…1x1010 U28+/ Spill.

• Sometimes, up to 100 shots were necessary to drill a

hole.

• Average power was only ~1 W, but peak energy ~3 kJ/g.

• Process: target melts spontaneous but hardens again

before next shot (only radiation cooling).

H. Weick


Is melting an issue? (II)

Take damage limit for protons onto steel (52

kJ/mm² ~ 1 kJ/g)

Protons: max. 93 kJ beam energy, beam spot size

r=0.75 mm

Ions: max. 51.5 kJ beam energy, beam spot size

r=0.56 mm ignored dE/dx!

One should think those spot sizes can not be

achieved at maximum energy by optics of the

machine:

ravg=3.8 mm (2) for p gt-shift optics

ravg=5.4 mm (2) for ion optics

But when calculating temperature rise

analytically:

thin targets, no phase transition

no shock waves, no heat transfer or radiation

• Full design beam power for

Protons: no problem!

Heavy ions (5x1011 U28+) are above the limit!

But: Before it comes to melting, s.c. magnets will

quench already (6 orders of magnitude earlier)

Material Steel Cu G11 Al

Used in Yoke, He-

pipes

Chambers

Coils,

busbars

Coil

support

Therm.

shield

Melting Temp. / K 1,921 1,358 422 933

Specific heat c / J/(g*K) 0.49 0.39 0.60 0.90

Latent melting heat / J/g 270 205 ~200 396

Total melting energy density

(T=15 K) / J/g

1,204 722 436 1,220

Total melting energy density

(T=293 K) / J/g

1,068 615 277 970

Density r / kg/m³ 7,870 8,920 1,820 2,700

Proton beam spot radius for

melting @15K / mm

0.4 0.5 0.9 0.4

Max. DT for proton beams with

3.8mm spot radius / K

28 35 32 17

Uranium beam spot radius for

melting @15K / mm

5.6 7.1 12.6 5.8

Max. DT for Uranium beams

with 5.4mm spot radius / K

2,291 2,838 2,386 1,388

19

Δ𝑇 =𝑁 ∙ 𝑑𝐸/𝑑𝑥

𝑐 ∙ 𝐴 ∙ 𝜌

Cross section

of a quadrupole


Heating of materials by the beam

20 C. Omet, HINT2015

1x1010 U28+ are „not dangerous“ do not cause instant permanent

damage by melting room temperature sections of SIS100...

Safe beams / pilot beams should contain at maximum half / a quarter of

that intensity!

0

500

1.000

1.500

2.000

2.500

3.000

1E+10 1E+11

Tem

pera

ture

ris

e D

T / K

U28+ @ 2.7 GeV/u

Steel

Copper

Aluminum

Epoxy

Δ𝑇 =𝑁 ∙ 𝑑𝐸/𝑑𝑥

𝑐 ∙ 𝐴 ∙ 𝜌


Potential beam damage in SIS100:

Slow extraction

When a

full intensity high energy heavy ion beam spirals out

in a short time (µs...ms) and

hits a small volume (e.g. wires, thin vacuum chambers)

especially at room temperature regions,

material can melt.

Unavoidable during slow (KO) extraction: Heavy ions colliding with

the electrostatic septum wires are stripped and lost

At least ~10 % of the beam will hit the wires during slow

extraction.

W-Re wires day 0 version: 100 µm “thick”, final version: 25 µm

thick (thermal / stability issues)

Warm (radiation hard) quadrupoles behind the septum.

Loss will be controlled (collimator / low desorption rate surface).

Step width of particles at slow extraction has to be limited to avoid

over-heating of the wires

Low intensity pilot beams,

Phase space tomography,

Limiting extraction length at full heavy ion intensity to durations

e.g.> 5 s.

Active protection with beam loss monitors (BLM’s)

21

Septum wire

position


Emergency dump of SIS100

Part of the active machine protection.

Emergency dump system:

Fast bipolar kicker magnets for extraction,

2.5 m long, internal absorber block below the magnetic

septum #3.

Design:

No need for synchronous ramping of beam line to the external

dump and “dead time” during ramp up of HEBT switching

magnets.

Beam dump will happen in ~26 µs after generation of request

fast enough for nearly all processes.

Various abort signals will be concentrated in a switch matrix

(allows masking of some sources e.g. for low intensity

beams). Incorporation of e.g. experiment aborts is easily

possible.

Kicking into a coasting beam will result in up to 25% beam

losses (smear out after emergency dump). Have to develop

more sophisticated methods (Shut off KO extraction, rebunch,

kick?).

Absorber:

Special chamber in lower part of magnetic septum #3

20 cm graphite in front, 225 cm absorber (W, Ta, ...)

Tilted or saw-tooth surface to smear out Bragg peak in the

absorber material (limits temperature rise).

22

6cm

0

5

10

15

20

25

30

Abort Signal to Kickerfire at injection

Abort Signal to Kickerfire at extraction

Dela

y /

µs

Kicker Fire

Signal propagation delay (x2)

Find beam gap


FLUKA simulations of

emergency dump

Simulation assumptions 5.0*1011 U28+, 1.0-2.7 GeV/u

2.5*1013 p, 29.0 GeV/u

Gaussian beam distribution with x/y = 3 mm

Full beam energy deposited within < 1 µs

No melting, but absorber surface has to be

inclined (e.g. by 20° which gives a factor of 4

less temperature rise).

Both maximum and average energy depositions

are well below quench limit.

With W instead of Ta, energy deposition in the

SC quadrupole coils drops by another 30%.

23

SS

15

dis

tan

ce

alo

ng

y-a

xis

(cm

)

E [J

/cm

3]

distance along z-axis (cm)

U28+, 2.7 GeV/u

E [J

/cm

3]

20 o

Quench limit 1.6 mJ/g ≈ 0.2 mJ/cm³

Ion Max. Coil

energy

deposition

/ mJ/g

Avg. Coil

energy

deposition

/ mJ/g

Quench

margin

2.5x1013 p, 29 GeV 0.29 0.063 5.5 / 25.4

5.0x1011 U28+, 1.0 GeV/u 0.01 0.003 145 / 592

5.0x1011 U28+, 2.7 GeV/u 0.10 0.025 16 / 64


Risk assessment:

System-FMEA

Failure Modes and Effects Analysis (FMEA) on the system level of SIS100 Goal: Identify the machine failures in a rational

approach,

Done according to IEC 61508,

Standardized values for personnel safety,

Subjective chosen values for machine protection (separately!).

Only single errors are accounted for!

How to get Lambda or MTTF (Mean Time To Failure) values ? Experience with existing or similar

components/prototypes, ... GSI data,

Nuclotron data,

LHC data.

Calculated (on a per-part basis) according to ISO 13849-1:2008 and MIL Handbook for SCU (Scalable Control Unit):

𝜆 = 8,626 FIT MTTF (Mean Time To Failure) = 13.2 years

Quench detection cards from KIT: 𝜆 = 1,240 FIT MTTF = 92 years

24

Severity Meaning for

personnel

Meaning for the

machine Examples

S1 Minor injuries at worst

Short accelerator

recovery time

MTTR < 2 h

• Target irradiated wrongly

• Magnet quench

• Superficial damage of a beam pipe

• Fuse blown

• Machine activated

S2 Major injuries to one or more persons

Accelerator

recovery time

MTTR < 1 d

• Target destroyed

• Protective devices (e.g. at septum)

burnt through

• Safety valves in He supply or return

blown

S3 Loss of a single life

Long shutdown

MTTR < 1 a

• Septum wires burnt through

• He safety valves of cryostats blown

• Busbar/cables burnt

• Holes in beam pipes

S4 Multiple loss of life

Catastrophe • Should never happen!

1 FIT = 1 Failure in 109 h


Risk assessment:

How to define SIL levels?

When defining a safety function, e.g.:

„Dump Magnet Energy when a quench occurs“, how

reliable the function has to be?

S3: Damage so large that downtime >> 1d

A1: No personnel present when powering S.C. magnets!

G1: It is possible to prevent the magnet from quenching

(e.g. observing temperature)

W2: Possibility for a quench is >5%, but <25% of

operation time

SIL3 is necessary for achieving a safe quench

detection and dump resistor activation, PFH<1x10-7

failures/h.

Other example: PSS: “Deny user request to enter

restricted area during beam operation.”

also SIL3, but with PFD<1x10-3 failures/demand.

15

Low demand [failure/request] High demand or continuous

request [failure/h]

Average probability of dangerous

failure at request of the safety

function Average probability of dangerous

failure of the safety function

SIL / PL PFDavg, min (>=) PFDavg, max (<) PFHmin (>=) PFHmax (<)

4 / e 1,00E-05 1,00E-04 1,00E-09 1,00E-08

3 / d 1,00E-04 1,00E-03 1,00E-08 1,00E-07

2 / c 1,00E-03 1,00E-02 1,00E-07 1,00E-06

1 / b 1,00E-02 1,00E-01 1,00E-06 1,00E-05

Risk graph


Risk assessment:

Magnets, busbars, current leads

Failures:

Quenches

Thermal runaways

Turn-to-GND short

Turn-to-Turn short

Most severe failures:

Quenches (destroys busbars or magnet coils)

Dipole:

full beam could hit the E-Septum wires in ~1 ms

Quadrupole, Chrom. Sextupole, Res. Sextupole,

Octupole:

beam could hit the Halo collimators, E-Septum wires or

external targets / detectors during slow extraction in ~1 ms

Chosen mitigations:

Magnet interleaving Quench Detection (QD)

Emergency dump for detected failures (started just before

magnet energy dump)

Interlocks

Failsafe behavior:

~99% reduction of risk

Already incorporated in hardware design (SIL3 for QD!)

Turn-to-Turn shorts only detectable during commissioning

and pilot beam operation!

26


Risk assessment:

Power Converters

Failures:

DCCT or control loop causes more or less current than set

IGBT shorts

Media (cooling water) or sensor failures

Primary Voltage supervision sensor failures

PE failures (dipoles, quadrupoles, septum 3)


Dipole PC:

full beam could hit the E-Septum wires in ~1 ms

Quadrupole, Chrom. Sextupole, Res. Sextupole,

Octupole, Radres. Quadrupoles PC’s:

beam could hit the E-Septum wires or external targets /

detectors during slow extraction in ~1 ms

Chosen mitigations:

Redundant DCCT in some cases

Emergency dump for detected failures (started just before

magnet energy dump)

Interlock

Failsafe behavior:


Still (minor) modifications in hardware design necessary

27


Risk assessment:

RF acceleration system

Failures:

LLRF Amplitude control/DAC failure

LLRF DDS / Group DDS failure

Cavity GAP Arc ignition, shorts

Resonance frequency control failure

Driver / Power Amplifier failures

B2B Transfer unsynchronized

Media or sensor failure

50 Ohm Terminator failure

Most severe failure:

Gap arc ignition:

At least a part of beam will hit cryo collimators (spiraling into

it in around 1 ms), happens quite often

Chosen mitigations:

Emergency dump for detected failures

Interlock (for media or sensor failures)

Failsafe behavior


Minor modifications in hardware/software design are

necessary

28


Risk assessment:

Injection/Extraction system

Failures:

Single kicker does not fire, voltage deviation

Single kicker fires unintentionally

E-Septum sparking


E-Septum sparking:

full beam could hit E-Septum wires

Single extraction kicker does not fire / voltage deviation:

beam can hit septum or HEBT / detectors / targets

Chosen mitigations:

Emergency dump

partial beam loss can not be prevented

no warning time

up to ~30% beam loss when kicking in coasting beam

during slow extraction

Low intensity pilot beam for optimizing settings

E-Septum has to be actively protected (wire supervision)

“Cleaning” of beam which remains after extraction kick onto the

emergency dump.

Failsafe behavior:

89% reduction of risk

Further tracking studies will follow to identify and reduce risks

29


Risk assessment:

Global/Local cryogenic system

Failures: Valve or valve control failure

He supply/return line rupture or leak

Voltage breaker leakage or rupture

Valve bellow rupture

Compressor / pressure regulation failure

Most severe failures: Voltage breaker leakage or rupture: Paschen limit, repair time

Valve bellow and He supply/return line rupture: long shutdown for

repair

Most failures would result in quench, but this is detected by

pressure / temperature sensors and QD.

Chosen mitigations: Pressure readout, Emergency dump (started with magnet energy

dump, which is more important) for fast processes

Interlock for slow processes

QA (Quality Assurance) for all weldings and QD (Voltage tabs) for

all interconnections

Maintenance plans for valves

Failsafe behavior: 88% reduction of risk

Care has to be taken in design and read-out of insulation vacuum

pressure (cold cathode gauges) – some failures have short rise

times.

30


Risk assessment:

Control system

Hardware, Software and Operators

Failures: Wrong data delivered to device

Timing system does not trigger all effects possible...

Slow extraction efficiency too low

Feedback systems (Orbit, TFS, LFS) fail (currently not calculated)

Most severe failures: Software errors: full beam could hit anywhere

Physic model errors: full beam could hit anywhere

Operator thinks in the wrong direction: full beam could hit anywhere

Chosen mitigations: Low intensity pilot beam for verifying optics, physics model and

machine settings, intensity ramp up concept, locking of critical

parameters at high intensities

BLM’s, Transmission supervision, Emergency dump

Optics check for machine setting parameters, Training for operators

Data check (read-back) of machine settings (cyclic every few

minutes); Set and Actual Value - window comparison

Failsafe behavior ~99% reduction of risk

Human factors still an issue

SCU and timing system already designed with very large MTBF

31


Risk assessment:

Beam dynamics and others

Failures:

Beam instabilities (difficult to estimate correctly)

Beam in kicker gap

UHV pressure rise, vacuum leakage, FOD (objects in

vacuum chamber – LEP, ESR, SIS18)

HEBT / Experiment note ready, EMC, Earthquakes, … (not

calculated)


Beam instabilities

Cold UHV chamber leaks (long

downtimes for repair!).

Chosen mitigations:

Emergency dump

BLM’s, cryo catcher current readout

Robot for searching “UFO”s

Failsafe behavior:

33% reduction of risk

One never knows what high energy / intensity or

compressed beams do in real

Beam physics studies are ongoing

32

SIS18 “UFO“


SIS100 risk assessment:

Results

33

• Most severe (hard to detect at warm and long repair

times): cold leaks / defects.

• Heavy ion beam power of SIS100 is high enough to

damage sensible equipment (e.g. e-septum).

• All devices are designed self-protecting when

internal failures occur, but not necessarily have

optimum behavior with respect to the beam. Work is

progressing to improve this.

• For emergency dump: Beam losses caused by

spurious errors (e.g. power converter problems, RF

failures, quenches, ...) as well as dynamically

unstable beams can be mitigated effectively by the

emergency dump system.

• By failsafe concept, up to 85% of the total failures in

time can be detected or mitigated.

• Given 6,000 h operating hours per year, an

availability of 66% (3,957 h/a) is currently

estimated.

1E+03

1E+04

1E+05

1E+06

1E+07

1E+08

1E+09

?

Cry

o c

olli

mato

rs

Em

erg

en

cy D

um

p (

1S

54S

D1)

E-S

eptu

m W

ires

Halo

coll.

, E

-Sep

tum

Wires

Halo

colli

ma

tors

Ma

gnetic S

eptu

m, H

EB

T o

rT

arg

et / D

ete

cto

rs

Ma

gnetic S

eptu

m?

FIT

Beam loss location

Safe Failures Dangerous Detected Failures Dangerous Undetected Failures


Comparison of SIS100 with CERN PS

Similarities SIS100 (gt-

shift settings)

PS

Particles per cycle 2*1013 3*1013

Injection energy / GeV 4.0 1.4

Extraction energy / GeV 28.8 20.0

Stored energy Inj. / kJ 12.7 6.8

Stored energy Extr. / kJ 91.1 96.9

Max. beam radius Inj. / mm 29 29

Max. beam radius Extr. / mm 12 8

Min. beam radius Inj. / mm 3.6 17.7

Min. beam radius Extr. / mm 1.5 5.6

Differences SIS100 PS

Magnet type SC NC

Beam pipe vacuum chamber

thickness / mm

0.3 1.5

Heavy ion beam energy / kJ 51.5 ~7.1

for Proton operation:

• For p operation, CERN PS and SIS100 similar in energy and spot size (=damage potential); for heavy

ions, SIS100 is more dangerous...

• No major accidents in PS due to beam losses

• Spot size in SIS100 even larger with gt-jump settings

• LHC (one beam): 362 MJ => 4 000 times more energy!


2.5*1013, 29 GeV Protons energy deposition in the dump

After an absorber length of 1 m:

hardly any primary protons left

homogeneous energy distribution by

secondaries

Temperature values well below the

sublimation/melting points

Energy deposition values in upper and lower

coils identical within 30 %

35


5*1011 U28+, 2.7 GeV/u energy deposition in the dump

36

distance along z-axis (cm)

E [J

/cm

3]

Graphite dump (20cm) Tantalum absorber (225 cm)

projections in YZ plane,

averaged over x view from

the top

projections in XY plane,

averaged over z

view along the beam direction

σy=0.3cm σy=0.6cm

High-intensity operation: Between Poka-Yoke and Machine ...

Documents

Transcript of High-intensity operation: Between Poka-Yoke and Machine ...